Security Advisor
2014 IT Security Predictions: Cloud Privacy and New Malware Targets To Dominate the Year
Cloud providers will look to answer for data privacy issues while attackers focus on Windows XP and non-traditional connected devices.
While IT had to contend with new vulnerabilities and denial of service attacks in 2013, the revelations of the active online surveillance by the United States National Security Agency (NSA) and the U.K.'s Government Communications Headquarters upstaged last year's latest crop of malware and traditional attacks.
Former NSA contractor Edward Snowden's leaked documents that pointed to the NSA's covert surveillance activities last summer shattered the confidence of IT professionals and nontechnical users, many of whom found themselves wondering if the government was leading IT service providers to access individual and enterprise online data that they thought was secure.
Snowden's leaked documents suggested that companies including Microsoft, Yahoo, Google, Apple, AT&T, Verizon and Facebook were helping the NSA access information using a bevy hacks, cracks and left-opened backdoors among those it felt may be plotting or involved in terrorist activities.
The accusations that many of the largest tech firms played a part in these massive government surveillance programs were met with categorical denials from players like Microsoft and Google that workarounds and backdoors were never created and that personal information were only handed over on a legal case-by-case basis. However, whether the classified leaks were true or not, seeds of doubt have been planted in the minds of IT, with more than 70 percent of Redmond readers expressing real concerns about government access of private data stored in the cloud in a survey conducted last summer.
These doubts caused large Internet firms to respond with plans to strengthen the security of data entering and leaving the cloud. Both Yahoo and Microsoft said services like Yahoo Mail and Office 365 will receive tighter encryption standards and, in the case of Microsoft, it will be looking at ways to protect data across all its online products and services.
This year, Microsoft plans to expand and strengthen its encryption services both regarding data in transit and at rest in its datacenters, General Counsel Brad Smith announced last month. The company is aiming to reinforce legal protection of personal data and plans to make its software code more transparent to assure third parties it contains no backdoors to tap user data.
Smith explained in a blog post when making last month's announcement that Microsoft's actions are in response to press accounts that Microsoft's online security measures are bypassed by governments. While Smith didn't mention Snowden by name, it was NSA documents leaked by Snowden that indicated that the NSA had worked with Microsoft to crack its data encryption, as well as reach into Microsoft's network with Microsoft's alleged participation in the NSA's PRISM program.
Yahoo last month also said it will start encrypting all email transmitted over its widely used network. Look for service providers of all types to continue to shore up efforts to regain customer confidence this year.
"We predict that CSPs will begin deploying technologies like encryption, administrative access controls, and other monitoring tools, and market these more aggressively to their customers," says Michele Borovac, chief marketing officer with HighCloud Security Inc. -- a firm specializing in cloud encryption and security. "Overall, I think this will improve data security for the entire industry, which is a good thing."
Windows XP's Attack Target Gets Larger
As for traditional vulnerabilities, the war between IT, security firms and attackers will rage on in this year -- however, the targets and landscape will continue to change. First off, for those who haven't been paying attention (or just ignoring the looming deadline), April 8 marks the end of official support for Windows XP. Microsoft has been beating the death drum for the past few years and has clearly outlined the possible scenarios for IT still running the more-than-a-decade-old OS: upgrade, pay for expensive custom XP support or do nothing and wait for the barrage of attacks targeted at Windows XP once Microsoft stops issuing patches.
Many enterprises and individuals still running XP don't have much time to decide which route they will take. "The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities," wrote Tim Rains, director of product management in Microsoft's Trustworthy Computing group in a Microsoft blog entry in August of last year. "If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever."
New Targets
It isn't just PCs that are at risk. At the end of November, security firm Symantec revealed information of a new worm, called Linux.Darlloz, making the rounds. This nasty piece of code, which is just one in a line of new attacks, specifically targets Linux-based devices that aren't traditional PCs -- their objective is to infect those everyday devices, like smart TVs, routers, Blu-ray players and other appliances and electronics connected to the Internet. McAfee Inc. predicts the number of Android apps that have malicious code or are at high risk will approach 3 million. Oracle will stop supporting Java 6 next month as well, putting systems running the older Java Runtime Environment at risk.
As IT continues to adapt to including connected tablets and smartphones into its security plans, it will have to once again try to figure out how to bring in a whole slew of devices and appliances (market research firm ABI Research estimates that more than 30 billion devices will be connected to the Internet by the end of 2020) into the fold. While you may not be battling malware infecting the office break room microwave in 2014, it's a good idea to start planning now for these non-traditional, security vulnerable devices.
What's your prediction for IT security in the coming years? Will the big story continue to be cloud privacy? Will malware make a comeback as new targets emerge? Share your thoughts with me at [email protected] or add a comment below. I'll compile the very best and report back next week with your thoughts.